
Million breached records from websites in 2021 as in a textbook

Collection of OWASP Top 10 list with recent breach examples

Published: November 11, 2021 By Sabrina Lupsan

Image: a web developer writing code (source: pixabay.com)

According to a trusted source, over 18 million websites are infected at any given time in the world.

The new OWASP Top 10 list for 2021 is out and contains the most common attack vectors.

Below, you can see the total occurrences of those vulnerabilities identified by the OWASP Foundation in their research.


Vulnerability                                  Total Occurrences
Broken Access Control                          318,487
Cryptographic Failures                         233,788
Injection                                      274,228
Insecure Design                                262,407
Security Misconfiguration                      208,387
Vulnerable and Outdated Components              30,457
Identification and Authentication Failures     132,195
Security Logging and Monitoring Failures        53,615
Server-Side Request Forgery (SSRF)               9,503

In this article, you will see a few practical examples of the most common attack vectors and how to fix them.

Microsoft data breach exposed 30k organizations

In March 2021, Microsoft was attacked by Hafnium, a Chinese hacking group. They managed to steal data belonging to over 30,000 organizations.

According to Microsoft, Hafnium gained access to Microsoft Exchange Servers using stolen credentials and by exploiting other vulnerabilities. They then deployed a web shell on the servers, which let them control the servers remotely and exfiltrate the data.

A web shell is an extremely dangerous server-side attack tool: it lets an attacker run commands remotely, browse the resources of the web application and exploit further vulnerabilities.

It is important to understand that web applications are major attack vectors: they can let attackers steal data, change the application’s behaviour and even gain access to the underlying server.

We will now look at the OWASP Top 10 list and see a few examples of attacks and how to prevent them.

The OWASP Top 10 list

Image: OWASP Top 10 2021 (source: owasptopten.org)

1. Broken Access Control

Socialarks, a Chinese social media company, suffered a cybersecurity attack caused by broken access control. In January 2021, 214 million accounts were leaked in a data breach, revealing data such as names, phone numbers, profile pictures, addresses and much more. These accounts were spread across Facebook, Instagram and LinkedIn.

Access control vulnerabilities allow attackers to bypass authentication, read users’ private information, edit accounts and elevate privileges.

These vulnerabilities can be exploited by changing parameters in URLs, modifying the HTML of web pages or using software that intercepts and alters the requests made by the application.

A very simple example of Broken Access Control is modifying the URL and successfully accessing another user’s account this way:

https://website.com/account=admin

I will show you a very quick example of how to access another user’s resources using Juice Shop, a deliberately vulnerable web application created by the OWASP Foundation for learning and demonstration purposes.

You can try this example along with me. All you need is:

I will navigate to Juice Shop and create two accounts. Next, I will add different products to both of the accounts’ baskets, intercepting the traffic with Burp Suite and taking note of the requests.

The GET request for the user 39’s basket

First account’s basket.

The GET request for the user 40’s basket

Second account’s basket.

Great. Notice the different numbers in the GET requests after /rest/basket/. These are some kind of identifiers, perhaps account IDs. What happens if we change them?

In Burp Suite, right-click on the intercepted request and click “Send to Repeater”, as shown in the image. Then go to the “Repeater” tab, where you can modify requests.

The intercepted request to see your basket

Now we can modify our request. Of course, we could try arbitrary numbers, but we already know that our first account has the number 39. So, while logged in as the second account, we change the number in the GET request to 39, send it, and get back another user’s basket.

The altered request to see user 39’s basket

“How is this dangerous?”, you may ask yourself. Well, looking on the right, we can see fields such as “id” and “coupon”. In this example, an attacker could use another user’s coupon or even steal other data, such as a home address or phone number, if it is returned by that request.

This was a quick and simple example of Broken Access Control. Of course, there are even more sophisticated methods to replicate this type of attack, hence its position as number 1 on the OWASP Top 10 list.
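The fix for the basket example above is an object-level authorization check: the server must verify that the basket referenced in the URL belongs to the logged-in user instead of trusting the number in the path. The following is an added example written for this article, not Juice Shop’s own code; the basket store, the user IDs 39 and 40 and the `/rest/basket/` path shape are constructed to mirror the walkthrough.

```python
"""Object-level authorization for a "get basket by id" endpoint: the vulnerable
lookup beside a deny-by-default one that also logs access control failures.
All data here is constructed for the example."""
import logging

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("access-control")

# Constructed store: two baskets, one per user, numbered like the walkthrough.
BASKETS = {
    39: {"id": 39, "owner_id": 39, "coupon": "WELCOME10", "items": ["apple juice"]},
    40: {"id": 40, "owner_id": 40, "coupon": None, "items": ["banana juice"]},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_basket_vulnerable(basket_id):
    """Looks the basket up by the id taken straight from the URL.
    Nothing ties the basket to the session, so any logged-in user who changes
    /rest/basket/40 to /rest/basket/39 receives user 39's basket."""
    return BASKETS.get(basket_id)


def get_basket_secure(session_user_id, basket_id, is_admin=False):
    """Deny by default: return the basket only if the session user owns it
    (or holds an explicit admin role). Every denial is logged."""
    basket = BASKETS.get(basket_id)
    if basket is None or (basket["owner_id"] != session_user_id and not is_admin):
        # Same outcome for "does not exist" and "not yours", so the id space
        # cannot be probed to learn which baskets exist.
        log.warning("access denied: user=%s basket=%s", session_user_id, basket_id)
        raise Forbidden(f"basket {basket_id} is not accessible")
    return basket


def handle_basket_request(path, session_user_id):
    """Minimal handler for paths like /rest/basket/39. Returns (status, body)."""
    prefix = "/rest/basket/"
    raw_id = path[len(prefix):]
    if not path.startswith(prefix) or not raw_id.isdigit():
        return 400, {"error": "bad request"}
    try:
        return 200, get_basket_secure(session_user_id, int(raw_id))
    except Forbidden:
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    # User 40 repeating the walkthrough: the vulnerable lookup hands over
    # basket 39, the secure handler answers 403.
    print(get_basket_vulnerable(39))
    print(handle_basket_request("/rest/basket/39", session_user_id=40))
```

The ownership check is the part Juice Shop is missing; the identical denial for “missing” and “not yours”, and the log line on every denial, are the two details that make the check hold up in practice.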

2. Cryptographic Failures

In February of 2021, more than 3.2 billion clear-text credentials valid on Netflix, LinkedIn, Bitcoin, Yahoo, and others, all stored in one database, were leaked on a hacking forum. These credentials should have never been stored in plain text.

Sending data in plain text, using weak algorithms or keys, and not using SSL/TLS certificates to encrypt data in transit are just a few examples of cryptographic failures.

The computing power of an ordinary machine nowadays can break weak algorithms or short keys in a matter of minutes or hours. Deprecated cryptographic algorithms create a false sense of security and allow attackers to brute-force their way into systems.

For example, some algorithms were considered strong in the past but are now cryptographically insecure. Such algorithms are MD5 (Message-Digest Algorithm 5) for hashing and DES (Data Encryption Standard) for encryption.

3. Injection

In October 2021, BQE Software, a company that provides accounting and billing services online, was successfully hacked through SQL Injection, allowing the attackers to steal sensitive data, perform remote code execution and deploy other malicious attacks. BQE has more than 400,000 users.

A successful injection can change the behaviour of a web app, reveal sensitive information or even allow an attacker to gain control of the server machine. This happens by concatenating a payload onto existing code, which changes what the resulting command does.

The most common types of injection are SQL, NoSQL and OS command injection.

Injection can occur if, for example, the input received from users is not sanitized properly (so meta characters that can break out of a command are allowed), or queries are not built with prepared statements.

We will, once again, put the Juice Shop website to the test and perform a very simple SQL Injection on it.

After enumerating the website for a little while, we find a valid account: [email protected]. The fact that we can find email addresses on the website is another weakness, but that is out of scope here.

Now, let’s attempt to login as that user without knowing their password!

Logging in with SQL Injection

As you can see, for the email I wrote Bender’s email followed by a single quote ' and two dashes --:

[email protected]'--

This may seem strange, but it is a common way to break out of an SQL query string.

In order to log in, there is usually a SELECT statement that checks whether a user with those credentials exists. Such a SELECT statement may look like this:

SELECT * FROM Users WHERE email = '@email' AND password = '@password'

However, the payload we supply closes the email string with the single quote and comments out the rest of the statement with the two dashes. The effective statement becomes the following, which always succeeds if that user exists (and we know it does):

SELECT * FROM Users WHERE email = '[email protected]'

As you can see, the password is no longer part of the statement, so you can type anything in the password field; it never reaches the query.

The SQL Injection performed to log in as Bender.

I intercepted the request to see the final payload. Notice the parameters “email” and “password” followed by the data I supplied.

I forwarded the traffic and there you go: we are logged in as Bender.

The SQL Injection was successful
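To see exactly why the `'--` payload works, and why the prepared statements recommended in the prevention section stop it, here is an added example (written for this article, not Juice Shop’s code) that reproduces the login bypass against an in-memory SQLite table and runs the same input through a parameterized query. The table, the password and the email `bender@example.test` are constructed placeholders, not the real Juice Shop account.

```python
"""Login bypass via string-concatenated SQL, beside the parameterized query
that defeats it. Runs against an in-memory SQLite database built here."""
import sqlite3


def make_db():
    """Constructed Users table with a single account. The password is stored in
    plain text only to keep the injection demo short; a real table holds a
    salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'bender@example.test', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the statement by concatenating user input into the SQL text,
    the pattern described in the article. Returns the matched row or None."""
    query = (f"SELECT id, email FROM Users WHERE email = '{email}' "
             f"AND password = '{password}'")
    # With email = "bender@example.test'--" the text becomes
    #   ... WHERE email = 'bender@example.test'--' AND password = '...'
    # and SQLite treats everything after -- as a comment.
    return conn.execute(query).fetchone()


def login_safe(conn, email, password):
    """Prepared (parameterized) statement: the values travel separately from
    the SQL text, so a quote or -- inside them is just data to compare."""
    query = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()


def demo():
    """Run the payload through both versions plus a legitimate login."""
    conn = make_db()
    payload = "bender@example.test'--"   # the article's email'-- trick
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),
        "safe": login_safe(conn, payload, "anything"),
        "legit": login_safe(conn, "bender@example.test", "correct-horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:>10}: {row}")
```

The vulnerable version returns Bender’s row with a bogus password, the parameterized version returns nothing for the payload, and only the genuine credentials log in through it. Note that sanitizing quotes on the input is a weaker substitute; the parameter binding is what removes the problem.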

4. Insecure Design

In the context of the COVID-19 pandemic, the giant US pharmacy chain Walgreens had a vulnerability on its website in 2021 that allowed anyone to access patients’ personal information such as name, COVID-19 test results, phone number, address and more.

If an attacker has this much information about their victim, they can easily send targeted ads and phishing emails. For example, if someone took a COVID-19 test at Walgreens and it came out positive, phishing emails promising miraculous cures and cheaper medicine could easily trick a scared patient into clicking links or paying money to the attackers.

Insecure design refers to flaws in the design itself: even a perfect, bug-free implementation of that design does not produce a secure application.

An example that makes this clearer is the use of single-factor authentication (1FA). Applications that rely only on a password do not prevent attacks like phishing from succeeding, even if the password is very strong and stored securely.

5. Security Misconfiguration

More than 300 job candidates’ resumes were leaked from the website of an anti-abortion group in Texas because the site allowed anyone to access the files. The files were stored in directories visible to anyone, which is a security misconfiguration. The leaked information included names, phone numbers, addresses and, of course, job history.

Security misconfigurations cover a wide range of errors:

  • Outdated software (some software is no longer maintained at all; if it is too old, it may no longer receive security patches)
  • Default credentials
  • Unnecessary privileges and features are used (for example, a user is given more rights than they should have)
  • Error handling discloses information it shouldn’t

Sometimes, error handling can tell a user a lot: the programming language, the technologies used, their versions, and so on. We will take a look at Juice Shop’s “ftp” directory, discovered while enumerating the website. We can see a few files there.

The files located in the /ftp directory of Juice Shop

Clicking on “coupons_2013.md.bak”, we are redirected to an error page that discloses a lot of information.

The error received when accessing coupons_2013.md.bak

Because of this error, we can see:

  • File upload restrictions (for example, an attacker may now try to include files with the .md and .pdf extensions, knowing exactly what the restrictions are)
  • technologies (Node.js with Express)
  • versions (4.17.1)
  • files (index.js, layer.js)
  • functions

These kinds of errors should be handled correctly and should not disclose such information to a normal (or malicious) user.
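The usual way to handle this is to split the error in two: the full exception, stack trace and framework details go to the server log under an incident ID, and the client receives only a generic message with that ID so support can still correlate reports. The following is an added example written for this article, not Juice Shop’s or Express’s code; the upload-restriction error text is a constructed stand-in for the kind of message shown above.

```python
"""Error responses that keep stack traces, file names and versions out of the
client's view. The exception simulated here is constructed for the example."""
import logging
import traceback
import uuid

log = logging.getLogger("app")


def render_error(exc, debug=False):
    """Return (status, body) for an unhandled exception.

    With debug=False the body carries neither the exception text nor the
    trace; both are logged server-side under the incident id that the client
    sees. debug=True reproduces the behaviour of the Juice Shop error page,
    which is why it must never be on in production."""
    incident_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s: %s\n%s", incident_id, exc, trace)
    if debug:
        return 500, {"error": str(exc), "trace": trace}
    return 500, {"error": "Internal server error", "incident": incident_id}


def simulate_failed_upload(debug=False):
    """Raise a constructed upload-restriction error and render it."""
    try:
        raise ValueError("only .md and .pdf files are allowed")
    except ValueError as exc:
        return render_error(exc, debug=debug)


if __name__ == "__main__":
    print(simulate_failed_upload(debug=True))   # leaks the restriction and the trace
    print(simulate_failed_upload())             # generic message plus incident id
```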

6. Vulnerable and Outdated Components

A very old and well-known Windows vulnerability, MS17-010, also known as EternalBlue, was identified alongside an 11-year-old unpatched Adobe ColdFusion server bug. By exploiting this vulnerability, an attacker or group of attackers was able to deploy the Cring ransomware.

Outdated software or hardware that is not regularly updated and patched can become an entry point into a system. Components should be checked for vulnerabilities periodically and tested after updates.

This also applies to IoT devices, which are connected to the network and can become an entry point unless they are patched.

7. Identification and Authentication Failures

In October 2021, unauthorized access to Twitch’s databases took place. The live-streaming giant was hacked and its database, including private user information, was leaked. That was not the only blow to the company’s reputation: the entire source code, internal penetration testing and red teaming tools, and many other technologies were also exposed.

The attackers were able to reach the servers unauthenticated because of a misconfiguration.

This item on the list is connected with the 2nd item, Cryptographic Failures.

Identification and Authentication Failures occur when:

  • Passwords are stored in plain text, encrypted or hashed with a weak algorithm.
  • Strict password rules are not applied (so passwords are not strong enough)
  • Brute-force attacks are allowed
  • Multi-factor authentication is not implemented
  • Credential recovery is weak and relies on knowledge-based security questions
  • The session identifier is exposed in the URL

8. Software and Data Integrity Failures

Due to a third-party data breach, Carter’s, the US baby clothing brand, exposed highly sensitive information such as names, billing information, phone numbers, and addresses. The company was attacked on June 20. The attack leaked the private data of more than 400,000 customers.

This kind of vulnerability arises when an application depends on third-party plugins, applications or extensions that come from untrusted sources. This can open the door to malicious programs.

Another problem is when updates are applied automatically without verifying that they are legitimate.

9. Security Logging and Monitoring Failures

The last of the three A’s of cybersecurity (Authentication, Authorization and Accounting) is lost when security logging and monitoring failures appear.

Keeping records of users’ actions does two things:

  • holds them accountable in case of a suspicious action or a cybersecurity incident
  • discourages users from breaking good practices in the organization.

Accounting can be accomplished by logging the activities of individuals that can later be accessed for forensics.

10. Server-Side Request Forgery

One of the vulnerabilities exploited in the Microsoft data breach, mentioned in the first chapter of this article, that occurred in March 2021, is CVE-2021-26855. It is a Server-Side Request Forgery (SSRF) vulnerability allowing attackers to send arbitrary HTTP requests and authenticate as the Exchange server, according to Microsoft.

Server-Side Request Forgery, or SSRF, occurs when an application fetches a remote resource from a URL the user supplies, letting an attacker make the server request domains of their choosing and thereby bypass firewalls, ACLs and VPNs.

An example of SSRF is changing the parameters given in the URL to bypass security measures. For example, if an online shopping website expects a URL as the parameter for a product that is to be added to a basket, an attacker may replace that URL with a different one, making the server fetch the administrator’s page instead.

So, if the application behaves normally with a parameter such as:

product = https://somewebsite/productID=8

A Server-Side Request Forgery vulnerability would allow a hacker to access the admin’s page in the following way:

product = https://somewebsite/admin
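The defence against the product-URL example above is to validate the supplied URL against an allow-list before the server fetches anything, denying everything else (the firewall/ACL, input-sanitizing and local-file items in the prevention section below). Here is an added example written for this article, not code from any shop or project; the host `shop.example.test` and the `/product/` path prefix are constructed placeholders.

```python
"""Allow-list validation of a user-supplied URL before a server-side fetch.
Host and path prefix are constructed for the example."""
import ipaddress
import posixpath
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example.test"}   # constructed allow-list of fetch targets
ALLOWED_PATH_PREFIX = "/product/"


def is_allowed_product_url(url):
    """Deny by default: only https on the default port, no embedded
    credentials, no literal IP addresses (the usual route to localhost or
    cloud metadata services), only the allow-listed host, and only paths
    under the product prefix after normalising any '..' segments."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # https://good.host@evil.host/ trick
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return False                 # literal IPv4/IPv6 is never allowed
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False
    path = posixpath.normpath(parts.path or "/")
    return path.startswith(ALLOWED_PATH_PREFIX)


def fetch_product(url, fetcher):
    """Gate the real fetch behind the check. `fetcher` is whatever HTTP
    client the application uses; it is only called for an allowed URL."""
    if not is_allowed_product_url(url):
        raise ValueError("refusing to fetch: URL not on the product allow-list")
    return fetcher(url)


if __name__ == "__main__":
    for candidate in ("https://shop.example.test/product/8",
                      "https://shop.example.test/admin",
                      "https://127.0.0.1/product/8"):
        print(candidate, "->", is_allowed_product_url(candidate))
```

Two caveats a practitioner should keep in mind: the check is on the URL string, so the HTTP client must also refuse to follow redirects (the prevention list says the same), and a hostname that passes can still resolve to an internal address at fetch time, so the client should verify the resolved IP as well.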

Prevention methods & recommendations

1. Broken Access Control

  • Make sure you log failed login and access control failures
  • Minimize Cross-Origin Resource Sharing (CORS) usage
  • Deny access by default (rather than allowing it) to non-public resources

2. Cryptographic Failures

  • Encrypt data at rest and in transit
  • Only store necessary data
  • Make sure you are using the strongest cryptographic algorithms
  • Maintain very good secret key management
  • Accept only strong passwords
  • Hash all passwords and make sure you are using a salt (and optionally a pepper) to increase security

3. Injection

  • Sanitize user input by:
    • not accepting meta characters (e.g., single or double quotes),
    • limiting the amount of data accepted,
    • restricting the user to a set of allowed values
  • Use prepared (or parameterized) statements to prevent SQL Injection
  • Treat every input you receive as dangerous; it’s better to assume the worst
  • Test your application: try common injection payloads to see if it is vulnerable

4. Insecure Design

  • Use design patterns and clean code principles to maintain high quality of your source code
  • Use unit tests to see if there are any flaws or gaps in your design
  • Limit resource consumption to avoid DoS
  • Use threat modeling to ensure correct authentication and sound business logic

5. Security Misconfiguration

  • Make sure to change all of the default passwords for the services used
  • Do not use any unnecessary plugins, extensions, features, applications, frameworks in the development of the application
  • Perform automated tests to discover flaws in the system

6. Vulnerable and Outdated Components

  • Replace outdated software
  • Make sure you’re not using software or hardware that is not maintained and does not receive patches and updates
  • Remove unnecessary dependencies and files

7. Identification and Authentication Failures

  • Do not allow weak passwords
  • Make sure all of the default credentials for the services used have been changed
  • Use multi-factor authentication
  • Make sure enumeration against existent users is not possible (if a user inputs the right username and the wrong password, do not confirm that the username is correct)
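Three of the recommendations above fit into one login routine: the salted hashing from the Cryptographic Failures list (as opposed to the unsalted MD5 the article calls insecure), a constant-time comparison, and a response that does not reveal whether the email or the password was wrong. The following is an added example written for this article, not code from the page or any project; the user table and passwords are constructed, and scrypt is used as one reasonable choice of password hash.

```python
"""Salted password hashing with scrypt, constant-time verification, and a
login that answers every failure identically. All users are constructed."""
import hashlib
import hmac
import os

# scrypt cost parameters (a common baseline; raise n on capable hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password get different digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_md5(password):
    """What the article warns against: identical passwords give identical
    hashes, so one cracked hash (or a rainbow table) unlocks every account
    sharing that password."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed user table: email -> (salt, digest)
USERS = {"alice@example.test": hash_password("hunter2-but-longer")}

# Dummy record so an unknown email costs the same scrypt work as a known one,
# keeping response time from revealing which emails exist.
_DUMMY = hash_password("dummy-password")


def login(email, password):
    """True only for a correct pair. Unknown email and wrong password both
    return the same False after the same amount of work, so the response
    cannot be used to enumerate valid accounts."""
    salt, digest = USERS.get(email, _DUMMY)
    ok = verify_password(password, salt, digest)
    return ok and email in USERS


if __name__ == "__main__":
    print("md5 equal for equal passwords:", unsalted_md5("same") == unsalted_md5("same"))
    print("scrypt digests differ:", hash_password("same")[1] != hash_password("same")[1])
    print("login ok:", login("alice@example.test", "hunter2-but-longer"))
    print("bad password:", login("alice@example.test", "wrong"))
    print("unknown user:", login("nobody@example.test", "hunter2-but-longer"))
```

The error message shown to the user should be a single generic “invalid email or password” for both failure cases; the `_DUMMY` record is there so the timing of that message is also the same.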

8. Software and Data Integrity Failures

  • Use digital signatures
  • Make sure you’re periodically checking your software for malicious code injection
  • Make sure libraries and dependencies only use trusted repositories

9. Security Logging and Monitoring Failures

  • Log every time a user fails to log in or an access control check fails
  • Ensure safe storage of log files
  • Review the logs periodically

10. Server-Side Request Forgery

  • Only allow necessary traffic and deny everything else through firewalls and ACLs
  • Sanitize user input data
  • Don’t send raw data to clients
  • Disable HTTP redirections
  • Make sure you’re not allowing users to access local files
  • Thoroughly test your web application

Conclusion

There are many ways in which a web application can be compromised. This is why it is very important to make sure you’re taking all of the precautions and making that extra effort to secure your app.

Make sure to read the recommendations in this article and the ones on the OWASP foundation website and thoroughly test your application for any security vulnerabilities.

Do you have any other recommendations for protection measures against the vulnerabilities in the OWASP Top 10 list?

Author
Sabrina Lupsan
Sabrina Lupșan is a writer at CoolTechZone, a cybersecurity enthusiast, and a future penetration tester. She holds a Bachelor’s degree in Computer Science and Economics.
